CVE-2024-39912

Name of the Vulnerable Software and Affected Versions web-auth/webauthn-lib versions prior to 4.9.0

Description The issue is related to the ProfileBasedRequestOptionsBuilder method in the web-auth/webauthn-lib library, which returns allowedCredentials without any credentials if no username was found. This allows an attacker to enumerate usernames based on the absence of the allowedCredentials property in the assertion options response. By knowing which usernames are valid, attackers can focus their efforts on a smaller set of potential targets, increasing the efficiency and likelihood of successful attacks.

Recommendations For versions prior to 4.9.0, upgrade to version 4.9.0 to address the issue. As a temporary workaround, consider modifying the ProfileBasedRequestOptionsBuilder method to return random credentials when no username is found, as proposed in the provided code snippet. Restrict access to the vulnerable method to minimize the risk of exploitation. Avoid using the allowedCredentials property in the assertion options response until the issue is resolved.